Oracle® iPlanet Web Proxy Server Release Notes Release 4.0.16 Part Number E18782-01
This chapter contains information about the features, enhancements, and resolved issues in the 4.0.16 release of Oracle iPlanet Web Proxy Server. Read this document before installing and configuring Oracle iPlanet Web Proxy Server, and then periodically thereafter for the most up-to-date information. This chapter also provides information about the platforms, software, technologies, and protocols that the latest release supports.
This chapter contains the following sections:
In addition to fixing several bugs, as listed in Section 1.2, "Issues Resolved in 4.0.16," the 4.0.16 release of Oracle iPlanet Web Proxy Server provides the following enhancement:
The um-define-junction SAF now accepts several new parameters to configure cookie rewriting. For more information about this enhancement, see Section 3.2.4, "New Parameters of the um-define-junction SAF."
Table 1-1 lists the issues resolved in Oracle iPlanet Web Proxy Server 4.0.16. The documentation issues are prefixed "Doc:" in the Summary column of the table.
Table 1-1 Issues Resolved in Oracle iPlanet Web Proxy Server 4.0.16
Issue ID | Summary |
---|---|
6941325 | Doc: Cache capacity needs to be updated in the admin guide. See Section 3.2.1, "Increase in the Maximum Cache Capacity." |
6943974 | Doc: Flexible logging option. See Section 3.2.2, "%Req->vars.xfer-time% Option of the flex-init Function." |
6976513 | Optionally strip newlines off clf-request while creating access log entries. For more information, see Section 3.2.3, "clf-request-leading-whitespace Parameter of the flex-log SAF." |
6977597 | admin: Need better documentation/awareness on "open proxy security hole" (bug# 6565436). |
6977869 | Event scheduler should report completion of scheduled commands by an appropriate message in the error log. |
6981847 | URL filter: Hash table lookups happen without locking. |
6984479 | WPS4.0.14 support matrix is not correct. |
6987488 | SOCKS server does not allow log file names longer than 128 characters. |
6988564 | admin: Place a consistent limit on the length of a new instance's server ID. |
6989877 | URL mapping neither rewrites nor forwards domain parameters in Two new parameters— |
6991199 | Proxy should start correctly when there is a pid file with nonrelated PID. |
6991975 | URL mapping: Need feature to rewrite path parameters of Two new parameters— |
6994416 | Doc: See Section 3.2.5, "Clarification About Unit of Time Used for the %duration% Log Option." |
6997088 | Should support |
7001073 | Doc: ACL database name does not work. See Section 3.2.6, "Clarification About the Need to Explicitly Select New Directory Services." |
7002721 | Enhance verbose and finest logging for LDAP database errors. |
7003922 | cluster: Admin Server with SSL can't add server to cluster database and transfer files. |
7006581 | WPS4.0.12: High CPU usage. |
7006595 | Version changes for 4.0.16. |
7006908 | Doc: Document the cookie rewriting feature newly added to URL mapping. See Section 3.2.4, "New Parameters of the um-define-junction SAF." |
7006910 | Doc: Document the new parameter added to the "flex-log" SAF. For more information, see Section 3.2.3, "clf-request-leading-whitespace Parameter of the flex-log SAF." |
7007911 | cluster: Admin CGI crashes while attempting to transfer configuration to slave. |
7007928 | cluster: SSL clients in admin CGIs should trust all server certs by default. |
7009238 | LDAP connection problem when in Windows 2008. |
7010394 | Server crash during startup while processing incorrectly formatted |
7011418 | URL mapping: Redirects lose the query string. |
7014437 | URL mapping: Content/URL rewriting produces corrupted responses. |
7015526 | Blank page is displayed on clicking the Cluster tab in the Administration Server interface (HP-UX). |
The following table lists the patches available for Oracle iPlanet Web Proxy Server 4.0.16 on My Oracle Support (http://support.oracle.com).
Platform | Patch ID |
---|---|
HP-UX | 145608-02 |
Linux x86 | 145605-02 |
Solaris SPARC (32-bit) | 145604-02 |
Solaris x86 (32-bit) | 145606-02 |
Windows (32-bit) | 145607-02 |
This section provides information about the hardware and software requirements of Oracle iPlanet Web Proxy Server 4.0.16.
This section includes the following topics:
Complete information about supported operating environments and hardware for Oracle iPlanet Web Proxy Server 4.0.16 is available in the Oracle iPlanet Web Proxy Server 4.0.14+ Certification Matrix, which is available at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
System virtualization is a technology that enables multiple operating system (OS) instances to execute independently on shared hardware. Functionally, software deployed to an OS hosted in a virtualized environment is generally unaware that the underlying platform has been virtualized. Oracle performs testing of its products on select system virtualization and OS combinations to help validate that Oracle products continue to function on properly sized and configured virtualized environments as they do on non-virtualized systems.
For information about support for Oracle products in virtualized environments, see:
http://www.oracle.com/technetwork/middleware/ias/oracleas-supported-virtualization-089265.html
In addition to the requirements provided in Oracle iPlanet Web Proxy Server 4.0.14+ Certification Matrix, your system must also have adequate swap space:
Solaris requires a swap space that is at least as large as the amount of RAM on your system (twice the amount of RAM is recommended)
Linux requires 256 megabytes of swap space
It is recommended that you update your operating system with the latest applicable patches. Required patches are listed by platform.
The following is the required patch level for Oracle iPlanet Web Proxy Server 4.0.16 on Solaris SPARC and x86:
Solaris 8 (SPARC): 108434-18 (shared library patch for C++)
Solaris 9 (SPARC): 111711-12 (shared library patch for C++)
Solaris 9 (x86): 111713-12 (shared library patch for C++)
Solaris 10 (SPARC): NOT REQUIRED
Solaris 10 (x86): 119964-03 (shared library patch for C++)
The following are the required patch levels for Oracle iPlanet Web Proxy Server 4.0.16 in Linux:
Red Hat Enterprise Linux Advanced Server 3: compat-libstdc++-7.3-2.96.128.rpm
Red Hat Enterprise Linux Advanced Server 4: compat-libstdc++-33-3.2.3-47.3.rpm compat-libstdc++-296-2.96-132.7.2.rpm
The following are the required HP-UX patches:
HP-UX 11i Operating Environment Component-B.11.11.0412
Required patch bundle for 11i, June 2003-B.11.11.0306.1
Gold Base patches for HP-UX 11i, December 2006-B.11.11.0612.459
Gold Application patches for HP-UX 11i, December 2006-B.11.11.0612.459
Pthread enhancement and fixes-PHCO_29109
Pthread.h fix and new enhancement-PHCO_27633
libc manpage cumulative patch-PHCO_29328
libc cumulative patch-PHCO_29495
Java Out-of-Box-JAVAOOB, 1.0.00.02
The Java Out-of-Box tool is used to configure the necessary kernel tunable parameters. Use of this tool is the recommended method for modifying kernel values. If necessary, modify the following tunable parameters to reflect a value equal to or greater than the following:
nkthreads - 3635
maxfiles - 60
maxfiles_lim - 1024
max_thread_proc - 512
maxswapchunks - 2048
nfile - 4136
ncallout - 3651
nproc - 2068
Caution:
Modifying the kernel tunable parameters can have adverse impacts on your system. Do not modify the parameters without understanding all the potential risks to your system.
Complete information about supported web browsers for Oracle iPlanet Web Proxy Server 4.0.16 is available in Oracle iPlanet Web Proxy Server 4.0.14+ Certification Matrix, which is available at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
Operating System Versions. As of the release of Oracle iPlanet Web Proxy Server 4.0.16, the following operating system versions are deprecated and will become unsupported in a future release of Proxy Server:
Web Browser Versions. As of the release of Oracle iPlanet Web Proxy Server 4.0.16, the following web browser versions are deprecated and will become unsupported in a future release of Proxy Server:
The recent releases of Proxy Server include the enhancements described in the following subsections.
Oracle iPlanet Web Proxy Server 4.0 supports transparent proxying for HTTP/1.1 connections. Transparent proxying means that the proxy server intercepts and processes web requests without the knowledge or control of clients. For example, a router for a local network is configured to redirect incoming TCP connections to the local port on which the proxy server is active.
Add the following directive to the proxy server default object in the obj.conf file:
NameTrans fn="host-map"
This configuration enables the proxy server to use the HTTP Host: header of incoming requests to identify and redirect the request to the target remote server.
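
Because host-map routes on a header that the client supplies, a defender can cross-check the Host: value against policy and against the address the intercepted connection was originally sent to. The following Python sketch is an added example, not Oracle's code or a Proxy Server feature; the deny list, the DNS data, and the function names are constructed for illustration, and it assumes the interception layer can report the original destination address.

```python
import ipaddress

# Constructed deny list standing in for the proxy's ACL policy (assumption).
DENIED_SUFFIXES = ("malware.example",)
# Constructed DNS data so the example runs offline.
SAMPLE_DNS = {"www.example.com": ["192.0.2.10", "192.0.2.11"],
              "intranet.example": ["10.0.0.5"]}

def sample_resolve(name):
    """Hypothetical resolver hook: name -> list of IP address strings."""
    return SAMPLE_DNS.get(name, [])

def normalize_host(header_value):
    """Lowercase the Host: value and drop the port and any trailing dot."""
    host = header_value.strip().lower()
    if host.startswith("["):                      # IPv6 literal such as [::1]:8080
        end = host.find("]")
        host = host[1:end] if end != -1 else ""
    elif host.count(":") == 1:                    # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def check_request(host_header, orig_dst_ip, resolve=sample_resolve):
    """Return 'allow' or a 'deny: ...' reason for an intercepted request.

    orig_dst_ip is the address the client's TCP connection was addressed to
    before redirection (assumed to be available from the interception layer).
    """
    host = normalize_host(host_header)
    if not host:
        return "deny: missing or malformed Host header"
    if any(host == s or host.endswith("." + s) for s in DENIED_SUFFIXES):
        return "deny: destination blocked by policy"
    try:
        candidates = {ipaddress.ip_address(host)}          # Host is an IP literal
    except ValueError:
        candidates = {ipaddress.ip_address(a) for a in resolve(host)}
    if ipaddress.ip_address(orig_dst_ip) not in candidates:
        return "deny: Host header does not match intercepted destination"
    return "allow"

if __name__ == "__main__":
    for hdr, dst in [("www.example.com", "192.0.2.10"),
                     ("intranet.example", "192.0.2.10"),    # forged Host header
                     ("cdn.malware.example:80", "192.0.2.10")]:
        print(f"{hdr!r} -> {dst}: {check_request(hdr, dst)}")
```
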
Note:
Transparent proxy servers that route connections based on the HTTP Host: header are vulnerable to fake HTTP Host: headers forged through active content. Therefore, suitable ACL configurations must be implemented to prevent connections to web sites that might host malicious content.
URL mapping was implemented in Oracle iPlanet Web Proxy Server 4.0.8. It enables the Proxy Server to act as a reverse proxy. This feature enables Proxy Server to provide a single front-end host name for back-end application servers. Based on a requester's URI, access is provided to back-end servers.
For more information about URL mapping, see "Reverse Proxy Scenario" in Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference.
For information about Server Application Functions (SAFs) used in URL mapping, see "Server Application Functions (SAFs)" in Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference.
The monitoring capabilities of Proxy Server provide a detailed list of the server parameters that you can monitor at instance level.
From the Proxy Administration Server, you can perform the following actions:
View server statistics at an instance level
Enable or disable parameters at an instance level
To monitor the server, do the following:
Access the Administration Server
Click the Instance link from the Manage Servers page
Click the Server Status tab
Click the Monitor Current Activity tab
Set the Monitoring Current Activity to ON to monitor the server
You can also refresh the server in intervals of 5, 10, and 15 seconds and view the statistics of the DNS, Keep-Alive, Cache, Server Requests, and Work Thread connections.
The embedded DNS supports nondefault name resolution. The DNS client interacts with a DNS server to perform the name resolution. The new SAF, dns-lookup, receives the DNS server's IP address as the server argument. This IP address should be added in a DNS directive in the obj.conf file.
In the following example, the IP address of the DNS server is specified in the server parameter:
<object>
....
DNS fn="dns-lookup" server="170.168.10.3"
...
</object>
In the following example, multiple DNS server IP addresses are added to dns-lookup-init, and they are used in a round-robin model. In this scenario, do not add a DNS server IP address to dns-lookup. If DNS server parameters are added to both dns-lookup and dns-lookup-init, the dns-lookup argument takes precedence.
...
<Object>
...
DNS fn="dns-lookup"
....
Init fn="dns-lookup-init" servers="170.168.10.3, 170.158.10.4"
</Object>
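
The precedence rule above can be checked mechanically when auditing a configuration. The following Python sketch is an added example, not Oracle's code: it reads an obj.conf fragment and reports which DNS servers are in effect. The fragment is constructed from the directive forms shown above, and the function names and the "none-configured" label are hypothetical.

```python
import itertools
import re

# Constructed obj.conf fragment using the directive forms shown above.
SAMPLE_OBJ_CONF = '''
<Object name="default">
NameTrans fn="host-map"
DNS fn="dns-lookup"
Init fn="dns-lookup-init" servers="170.168.10.3, 170.158.10.4"
</Object>
'''

DIRECTIVE = re.compile(r'^(\w+)\s+(.*)$')
PARAM = re.compile(r'([\w-]+)="([^"]*)"')

def parse_directives(text):
    """Yield (directive, params) for each line that is not a tag or comment."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        match = DIRECTIVE.match(line)
        if match:
            yield match.group(1), dict(PARAM.findall(match.group(2)))

def effective_dns_servers(text):
    """Return (source, servers): a dns-lookup server overrides dns-lookup-init."""
    lookup, init = [], []
    for name, params in parse_directives(text):
        fn = params.get("fn")
        if name == "DNS" and fn == "dns-lookup" and params.get("server"):
            lookup = [params["server"].strip()]
        elif fn == "dns-lookup-init" and "servers" in params:
            init = [s.strip() for s in params["servers"].split(",") if s.strip()]
    if lookup:
        return "dns-lookup", lookup
    if init:
        return "dns-lookup-init", init
    return "none-configured", []

def resolver_rotation(servers, count):
    """Return the first `count` picks of a round-robin over the servers."""
    return list(itertools.islice(itertools.cycle(servers), count)) if servers else []

if __name__ == "__main__":
    source, servers = effective_dns_servers(SAMPLE_OBJ_CONF)
    print(source, servers, resolver_rotation(servers, 3))
```
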
ACLCacheMax is a magnus.conf parameter that sets a limit to the total number of ACLs stored in the ACL cache. There is no default value for ACLCacheMax and it should be configured for a specific limit.
For example, ACLCacheMax 16384
Note:
The ACL cache in this context does not refer to the ACL user cache. It refers to a cache where ACLs are applicable to specific URLs that are cached for performance reasons.
GCAtStartup is a magnus.conf parameter that takes a Boolean value. By default, the value is false; if set to true, the cache garbage collector clears the garbage during server startup. This can increase the server startup time when the cache size is large.
PURGE Feature
Oracle iPlanet Web Proxy Server allows PURGE requests to clear the cached URL. If the requested URL is purged successfully, a response with an HTTP status code of 200 (OK) is sent by the server. If the specified URL is not cached, a 404 (Not Found) response is sent.
In the following example, the server returns the value 200:
bash-2.03$ telnet localhost 8088
Trying 172.9.10.1...
Connected to localhost.
Escape character is '^]'.
PURGE http://foo.com/ HTTP/1.0
HTTP/1.1 200 OK
Server: Oracle-iPlanet-Proxy-Server/4.0
Date: Fri, 26 Oct 2007 08:15:30 GMT
Connection: close
In the following example, the server returns the value 404:
Connection closed by foreign host.
bash-2.03$ telnet localhost 8088
Trying 172.9.10.1...
Connected to localhost.
Escape character is '^]'.
PURGE http://foo.com/ HTTP/1.0
HTTP/1.1 404 Not Found
Server: Oracle-iPlanet-Proxy-Server/4.0
Date: Mon, 17 Sep 2007 10:13:28 GMT
Content-length: 96
Content-type: text/html
Connection: close
You can connect to an IPv6-enabled web site through Oracle iPlanet Web Proxy Server 4.0.11. Proxy Server also supports the ftp extension for IPv6 in default (passive) mode.
Oracle iPlanet Web Proxy Server 4.0.16 supports Network Security Services (NSS) 3.12.6 and Netscape Portable Runtime (NSPR) 4.8.4.
From the Oracle iPlanet Web Proxy Server 4.0.6 release, support for extended address passive port (EPSV) mode has been introduced.
From the Oracle iPlanet Web Proxy Server 4.0.2 release, the installer supports the upgrade of an existing Oracle iPlanet Web Proxy Server 4.0 installation to the later release. For the Java Enterprise System installations of Oracle iPlanet Web Proxy Server 4.0.1, you must install the patches that correspond to the later release.
Oracle iPlanet Web Proxy Server 4.0.12 provides hardware accelerator support for Sun Crypto Accelerator 6000, a cryptographic accelerator board that enhances the performance of SSL on Proxy Server.
Daylight Saving Time (DST) in the U.S.A. starts on the 2nd Sunday of March and ends on the 1st Sunday of November. This impacts the date and time rules of the operating system.
To ensure that the log files contain the correct time in US time zones, and that the Administration Server is not impacted by this change, do the following:
Download and install the appropriate operating system patches.
For other platforms, download similar DST-compatible patches from the respective operating system vendor's web site.
For Solaris, Windows, and Linux, run Proxy Server with JRE 1.5.0_12. For HP-UX, run Proxy Server with JRE 1.5.0_12.